ABSTRACT
Near field communication is basically a cousin of Bluetooth but is far more advantageous in its most peculiar form, being safe because of its very short range, which is no more than a few centimetres, and having a data rate of 424 kbit/sec. Near field communication, or NFC, as its name itself suggests, transfers data at very close proximity, which is one of its very key features that ensures the security of the data. NFC is standardized as ISO 18092 and uses RFID (Radio Frequency Identification), which is the very crux of powering up the NFC tags, emulation cards or peer devices. NFC devices like smartphones and tablets have NFC either built into the phone or onto the battery of the phone.
1. INTRODUCTION


NFC stands for Near Field Communication. The specification details of NFC can be found in ISO 18092. The main characteristic of NFC is that it is a wireless communication interface with a working distance limited to about 10 cm. The interface can operate in several modes. The modes are distinguished by whether a device creates its own RF field or whether a device retrieves the power from the RF field generated by another device. If the device generates its own field it is called an active device, otherwise it is called a passive device. Active devices usually have a power supply, passive devices usually don't (e.g., a contactless Smart Card). When two devices communicate, three different configurations are possible. These are described in Table 1. These configurations are important because the way data is transmitted depends on whether the transmitting device is in active or passive mode. In active mode the data is sent using amplitude shift keying (ASK). This means the base RF signal (13.56 MHz) is modulated with the data according to a coding scheme. If the baudrate is 106 kBaud, the coding scheme is the so-called modified Miller coding. If the baudrate is greater than 106 kBaud the Manchester coding scheme is applied. In both coding schemes a single data bit is sent in a fixed time slot. This time slot is divided into two halves, called half bits. In Miller coding a zero is encoded with a pause in the first half bit and no pause in the second half bit. A one is encoded with no pause in the first half bit, but a pause in the second half bit. In the modified Miller coding some additional rules are applied to the coding of zeros. In the case of a one followed by a zero, two subsequent half bits would have a pause. Modified Miller coding avoids this by encoding a zero which directly follows a one with two half bits with no pause. In the Manchester coding the situation is nearly the same, but instead of having a pause in the first or second half bit, the whole half bit is either a pause or modulated. Besides the coding scheme, also the strength of the modulation depends on the baudrate. For 106 kBaud 100% modulation is used. This means that in a pause the RF signal is actually zero. No RF signal is sent in a pause. For baudrates greater than 106 kBaud a 10% modulation ratio is used. According to the definition of this modulation ratio, this means that in a pause the RF signal is not zero, but is about 82% of the level of a non-paused signal. This difference in the modulation strength is very important from a security point of view, as we will describe later on in the security analysis. In passive mode the data is sent using a weak load modulation. The data is always encoded using Manchester coding with a modulation of 10%. For 106 kBaud a subcarrier frequency is used for the modulation; for baudrates greater than 106 kBaud the base RF signal at 13.56 MHz is modulated.

In addition to the active and passive mode, there are two different roles a device can play in NFC communication. NFC is based on a message and reply concept. This means one device A sends a message to another device B and device B sends back a reply. It is not possible for device B to send any data to device A without first receiving some message from device A, to which it could reply. The role of the device A which starts the data exchange is called initiator, the role of the other device is called target.
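The two line codings and the two modulation depths described above, worked through in code (an added example, not code from the paper). Each bit occupies a slot of two half bits, modelled here at four samples per half bit so that a Miller pause (a brief dip inside the half bit) and a Manchester pause (the whole half bit) look different; the sample resolution and the placement of the short pause at the start of the half bit are assumptions made for the illustration.

```python
SAMPLES_PER_HALF = 4                         # assumed resolution: one half bit = four samples
SHORT = [1] + [0] * (SAMPLES_PER_HALF - 1)   # Miller: brief pause inside the half bit (assumed position)
FULL = [1] * SAMPLES_PER_HALF                # Manchester: the whole half bit is a pause
NONE = [0] * SAMPLES_PER_HALF                # carrier sent unmodified
# In the sample streams below, 1 marks a paused sample and 0 an unmodulated one.

def miller(bits, modified=True):
    """Miller coding: zero = pause in the first half bit, one = pause in the second.
    modified=True adds the rule from the text: a zero directly after a one gets no
    pause at all, so two pauses never land in subsequent half bits."""
    out, prev = [], None
    for b in bits:
        if b == 1:
            out += NONE + SHORT
        elif modified and prev == 1:
            out += NONE + NONE
        else:
            out += SHORT + NONE
        prev = b
    return out

def manchester(bits):
    """Manchester coding: the whole first (zero) or whole second (one) half bit is a pause."""
    out = []
    for b in bits:
        out += (FULL + NONE) if b == 0 else (NONE + FULL)
    return out

def envelope(samples, baud_kbaud):
    """Carrier level per sample: 100% ASK at 106 kBaud leaves nothing during a pause,
    10% modulation at the higher rates leaves about 82% of the carrier (from the text)."""
    pause_level = 0.0 if baud_kbaud == 106 else 0.82
    return [pause_level if p else 1.0 for p in samples]

def half_bit_pauses(samples):
    """One flag per half bit: does that half bit contain any pause?"""
    n = SAMPLES_PER_HALF
    return [any(samples[i:i + n]) for i in range(0, len(samples), n)]

def has_adjacent_pauses(samples):
    """True when two subsequent half bits both carry a pause (the case modified Miller avoids)."""
    h = half_bit_pauses(samples)
    return any(a and b for a, b in zip(h, h[1:]))
```

Comparing miller([1, 0], modified=False) with miller([1, 0]) shows the pause pair that the modified rule removes; the same pair survives in manchester([1, 0]), where the 10% depth makes it harmless.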


2. COMMUNICATING USING NFC TAGS 
NFC devices use a special NFC tag, which is programmed to perform a specific operation, here being controlling any home appliance. NFC uses RFID, with which the NFC tags are powered up. The principle here is electromagnetic induction.
[Table 1: the three configurations, distinguished by whether Device A or Device B generates the RF field]
[Figure 1: NFC device and NFC tag]
[Figure 2: an NFC tag, with the tag antenna and the tag IC labelled]

It works as a transformer where the primary winding is the NFC device and the secondary winding is the NFC tag. The NFC tag contains a few turns of coil which pick up the magnetic flux from the device when it comes in contact with the device. This is shown in Figure 1. When the power is received by the NFC tag it performs the various tasks that are programmed into it. This is how an NFC tag looks (Figure 2). The NFC tag has an EEPROM in the IC, basically to enable the tag to read and write data into it. The picture is self-explanatory. The NFC device could be a high end smartphone like a Samsung Note, Google Nexus 4 or HTC One. These phones are used to write the program into the NFC tag, and the program runs whenever the smartphone that was used to write the program is brought into contact with the tag. There are different modes in NFC, which were described in Table 1. Here is a picture that will help you get a clear understanding of the modes in NFC (Figure 3). A peer to peer communication has both devices active, and the other two of the modes use one active device.
3. PROGRAMMING OF NFC TAGS 
The main advantage of NFC is that it has got a highly sophisticated programming tool kit where the user only has to follow a few steps. The software apps are available on the Play Store. NFC Task Launcher is the best to use. These images show the NFC Task Launcher. Basically, programming an NFC tag or a card emulator is a very user friendly task. Here are a few images that guide you how to program a tag.

1. Select the NFC Task Launcher (Figure 4).
2. Select the + option (Figure 5).
3. Click on New Task (Figure 6).
4. Select the type of action that has to be performed (Figure 7).
5. Select any of the applications that is to be embedded into the NFC tag, for instance camera (Figure 8).
6. Click on save and write, and the task of programming the NFC tag is completed when you place the NFC tag near the phone after saving (Figure 9).
7. Figure 10 shows how the camera starts up when the tag is touched to the phone.
4. SECURITY

4.1. Threats (Eavesdropping)
Because NFC is a wireless communication interface it is obvious that eavesdropping is an important issue. When two devices communicate via NFC they use RF waves to talk to each other. An attacker can of course use an antenna to also receive the transmitted signals. Either by experimenting or by literature research the attacker can have the required knowledge on how to extract the transmitted data out of the received RF signal. Also the equipment required to receive the RF signal, as well as the equipment to decode the RF signal, must be assumed to be available to an attacker, as there is no special equipment necessary. The NFC communication is usually done between two devices in close proximity. This means they are not more than 10 cm (typically less) away from each other. The main question is how close an attacker needs to be to be able to retrieve a usable RF signal. Unfortunately, there is no correct answer to this question. The reason for that is the huge number of parameters which determine the answer. For example, the distance depends on the following parameters, and there are many more:


[Figure 3: Modes of NFC]


- RF field characteristic of the given sender device (i.e., antenna geometry, shielding effect of the case, the PCB, the environment)
- Characteristic of the attacker's antenna (i.e. antenna geometry, possibility to change the position in all 3 dimensions)
- Quality of the attacker's receiver
- Quality of the attacker's RF signal decoder
- Setup of the location where the attack is performed (e.g. barriers like walls or metal, noise floor level)
- Power sent out by the NFC device


Therefore any exact number given would only be valid for a certain set of the above given parameters and cannot be used to derive general security guidelines. Additionally, it is of major importance in which mode the sender of the data is operating.
[Figures 4 to 10: NFC Task Launcher screenshots. Figure 4: select the NFC Task Launcher. Figure 5: select the + option. Figure 6: click on New Task. Figure 7: select the type of action that has to be performed. Figure 8: select any of the applications to be embedded into the NFC tag, for instance camera. Figure 9: click on save and write; the programming of the NFC tag is completed when you place the NFC tag near the phone after saving. Figure 10: shows how the camera starts up when the tag is touched to the phone.]


This means whether the sender is generating its own RF field (active mode) or whether the sender is using the RF field generated by another device (passive mode). Both cases use a different way of transmitting the data, and it is much harder to eavesdrop on devices sending data in passive mode. In order not to leave the reader without any idea of how big the eavesdropping distances are, we give the following numbers, which as stated above are not valid in general at all, but can only serve to give a rough idea about these distances. When a device is sending data in active mode, eavesdropping can be done up to a distance of about 10 m, whereas when the sending device is in passive mode, this distance is significantly reduced to about 1 m.


4.2. Secure channel for NFC 
The best method for a secure transmission of data is by using an NFC specific key agreement. It does not require any asymmetric cryptography and therefore reduces the computational requirements significantly. Theoretically, it also provides perfect security. The scheme works with 100% ASK only and is not part of the ISO standard on NFC. The idea is that both devices, say Device A and Device B, send random data at the same time. In a setup phase the two devices synchronize on the exact timing of the bits and also on the amplitudes and phases of the RF signal. This is possible as devices can send and receive at the same time. After that synchronisation, A and B are able to send at exactly the same time with exactly the same amplitudes and phases. While sending random bits of 0 or 1, each device also listens to the RF field. When both devices send a zero, the sum signal is zero and an attacker who is listening would know that both devices sent a zero. This does not help. The same thing happens when both, A and B, send a one. The sum is the double RF signal and an attacker knows that both devices sent a one. It gets interesting once A sends a zero and B sends a one, or vice versa. In this case both devices know what the other device has sent, because the devices know what they themselves have sent. However, an attacker only sees the sum RF signal and he cannot figure out which device sent the zero and which device sent the one. This idea is illustrated in Figure 11. The top graph shows the signals produced by A in red and by B in blue. A sends the four bits: 0, 0, 1, and 1. B sends the four bits: 0, 1, 0, and 1. The lower graph shows the sum signal as seen by an attacker. It shows that for the bit combinations (A sends 0, B sends 1) and (A sends 1, B sends 0) the result for the attacker is absolutely the same and the attacker cannot distinguish these two cases. The two devices now discard all bits where both devices sent the same value and collect all bits where the two devices sent different values. They can either collect the bits sent by A or by B. This must be agreed on at start-up, but it doesn't matter which. This way A and B can agree on an arbitrarily long shared secret. A new bit is generated with a probability of 50%. Thus, the generation of a 128 bit shared secret would need approximately 256 bits to be transferred. At a baud rate of 106 kBaud this takes about 2.4 ms, and is therefore fast enough for all applications.

The security of this protocol in practice depends on the quality of the synchronisation which is achieved between the two devices. Obviously, if an eavesdropper can distinguish data sent by A from data sent by B, the protocol is broken. The data must match in amplitude and in phase. Once the differences between A and B are significantly below the noise level received by the eavesdropper, the protocol is secure. The level of security therefore also depends on the signal quality at the receiver. The signal quality however again depends on many parameters (e.g. distance) of the eavesdropper. In practice the two devices A and B must aim at perfect synchronisation. This can only be achieved if at least one of A or B is an active device to perform this synchronization.
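The key agreement above, simulated at the bit level (an added example, not code from the paper). The 100% ASK sum signal is modelled as the integer sum of the two transmitted bits, so an eavesdropper sees 0, 1 or 2 per slot; the Figure 11 bit patterns are reproduced, and a seeded random run checks that A and B derive the same secret from exactly the slots the attacker cannot resolve. Perfect synchronisation is assumed, which is the condition the text says the scheme depends on.

```python
import random

def attacker_view(bits_a, bits_b):
    """Sum signal per bit slot with 100% ASK: 0 (both sent 0), 2 (both sent 1) or 1 (one of each)."""
    return [a + b for a, b in zip(bits_a, bits_b)]

def attacker_knowledge(sum_signal):
    """What the eavesdropper can determine: sum 0 or 2 reveals both bits; sum 1 is
    ambiguous, since (A=0, B=1) and (A=1, B=0) look identical, so it is marked None."""
    return [0 if s == 0 else 1 if s == 2 else None for s in sum_signal]

def infer_peer_bits(own_bits, sum_signal):
    """A legitimate device knows its own bit and hears the sum, so the peer's bit is sum - own."""
    return [s - o for o, s in zip(own_bits, sum_signal)]

def shared_secret(own_bits, peer_bits, i_am_a, collect_from_a=True):
    """Discard slots where both devices sent the same value; of the remaining slots keep
    the bits sent by A (or by B), whichever was agreed at start-up."""
    chosen = own_bits if i_am_a == collect_from_a else peer_bits
    return [c for o, p, c in zip(own_bits, peer_bits, chosen) if o != p]

def run_exchange(n_slots, seed):
    """One simulated exchange of n_slots random bit slots.
    Returns (key_a, key_b, number of slots the attacker cannot resolve)."""
    rng = random.Random(seed)            # seeded only so the run is reproducible
    bits_a = [rng.randrange(2) for _ in range(n_slots)]
    bits_b = [rng.randrange(2) for _ in range(n_slots)]
    s = attacker_view(bits_a, bits_b)    # what A, B and the attacker all hear
    key_a = shared_secret(bits_a, infer_peer_bits(bits_a, s), i_am_a=True)
    key_b = shared_secret(bits_b, infer_peer_bits(bits_b, s), i_am_a=False)
    return key_a, key_b, attacker_knowledge(s).count(None)

def slots_needed(secret_bits, yield_probability=0.5):
    """Expected bit slots to transfer for a secret of secret_bits bits (each slot yields a bit with p = 0.5)."""
    return secret_bits / yield_probability

def transfer_time_ms(slots, baud=106_000):
    """Time to transfer that many bit slots at the given baud rate."""
    return slots / baud * 1000.0
```

Every bit kept by A and B comes from a slot where the attacker's view is ambiguous, which is why the secret is secure only as long as the two signals really are indistinguishable.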


5. CONCLUSION 


Presently there are a considerable number of high-end smart phones in the Indian market which have the feature of NFC, but the feature isn't used to its potential. The programming explained above is the easiest form of embedding a task into a tag or card emulator. The applications of NFC have greater scope in everyday life, mainly home automation, where different home appliances can be controlled using an NFC device and a passive NFC tag or card emulator. Even a keyless door entry system can be achieved using NFC and a NXP Lego kit.